[native-image] Fatal error: javax.crypto.JceSecurity.getCodeBase(Class) is reached at runtime.

[hhandoko]

I'm getting the error below while compiling into native-image:

Fatal error: javax.crypto.JceSecurity.getCodeBase(Class) is reached at runtime. This should not happen. The contents of JceSecurity.verificationResults are computed and cached at image build time. Try enabling all security services with --enable-all-security-services.

I've enabled the option as per instructions but the error persists. I've also tried using other options such as --enable-https to no effect.

My native-image options can be found here: https://github.com/hhandoko/scala-http4s-realworld-example-app/blob/feature/get_current_user/scripts/graal/bin/dist.sh#L54

https://github.com/hhandoko/scala-http4s-realworld-example-app/tree/b4abb5868e14fba0d62ef4e7d106ca45545da17f

Thanks in advance for the help!

Edit:
2019-04-14 - Deleted feature branch, added link to the last commit with the older implementation.

Notes:
[1] - Similar issue was logged in the past which seems to fix the issue for them (but not for me), #824
[2] - Native image compilation is tested against RC13, RC14, RC15

[hhandoko]

Additional information:

Error is gone after switching JWT token generation library to java-jwt [1] from jwt-scala [2]. The following message was printed instead:

WARNING: The sunec native library, required by the SunEC provider, could not be loaded. This library is usually shipped as part of the JDK and can be found under <JAVA_HOME>/jre/lib/<platform>/libsunec.so. It is loaded at run time via System.loadLibrary("sunec"), the first time services from SunEC are accessed. To use this provider's services the java.library.path system property needs to be set accordingly to point to a location that contains libsunec.so. Note that if java.library.path is not set it defaults to the current working directory.

Notes:
[1] - https://github.com/auth0/java-jwt
[2] - https://github.com/pauldijou/jwt-scala

[hhandoko]

I've since merged and deleted the feature branch, here is the commit which contains the jwt-scala implementation:

https://github.com/hhandoko/scala-http4s-realworld-example-app/tree/b4abb5868e14fba0d62ef4e7d106ca45545da17f

[kipz]

I'm experiencing what I think is the same issue using bouncy-castle to sign JWT's (with --enable-url-protocols=https and --enable-all-security-services as options):

Fatal error: javax.crypto.JceSecurity.getCodeBase(Class) is reached at runtime. This should not happen. The contents of JceSecurity.verificationResults are computed and cached at image build time. Try enabling all security services with --enable-all-security-services.

JavaFrameAnchor dump:

  No anchors
  
TopFrame info:

  Lookup TotalFrameSize in CodeInfoTable:
  SourceTotalFrameSize 32
  
VMThreads info:

  VMThread 00007fc224000b20  STATUS_IN_NATIVE  java.lang.Thread@0x7fc22c6a27b0
  VMThread 0000564e06f08260  STATUS_IN_JAVA (safepoints disabled)  java.lang.Thread@0x564e0625dca8
  
VM Thread State for current thread 0000564e06f08260:

  0 (8 bytes): com.oracle.svm.jni.JNIThreadLocalEnvironment.jniFunctions = (bytes) 
    0000564e06f08260: 0000564e06f0c650
  
  8 (32 bytes): com.oracle.svm.core.genscavenge.ThreadLocalAllocation.pinnedTLAB = (bytes) 
    0000564e06f08268: 0000000000000000 0000000000000000
    0000564e06f08278: 0000000000000000 0000000000000000
    
  
  40 (32 bytes): com.oracle.svm.core.genscavenge.ThreadLocalAllocation.regularTLAB = (bytes) 
    0000564e06f08288: 00007fc22b800000 00007fc22b900000
    0000564e06f08298: 00007fc22b844f00 0000000000000000
    
  
  72 (8 bytes): com.oracle.svm.core.genscavenge.PinnedAllocatorImpl.openPinnedAllocator = (Object) null
  80 (8 bytes): com.oracle.svm.core.heap.NoAllocationVerifier.openVerifiers = (Object) null
  88 (8 bytes): com.oracle.svm.core.jdk.IdentityHashCodeSupport.hashCodeGeneratorTL = (Object) java.util.SplittableRandom  00007fc22ce9cc70
  96 (8 bytes): com.oracle.svm.core.snippets.SnippetRuntime.currentException = (Object) null
  104 (8 bytes): com.oracle.svm.core.thread.JavaThreads.currentThread = (Object) java.lang.Thread  0000564e0625dca8
  112 (8 bytes): com.oracle.svm.core.thread.ThreadingSupportImpl.activeTimer = (Object) null
  120 (8 bytes): com.oracle.svm.jni.JNIThreadLocalHandles.handles = (Object) com.oracle.svm.core.handles.ThreadLocalHandles  00007fc22c65f220
  128 (8 bytes): com.oracle.svm.jni.JNIThreadLocalPendingException.pendingException = (Object) null
  136 (8 bytes): com.oracle.svm.jni.JNIThreadLocalPinnedObjects.pinnedObjectsListHead = (Object) null
  144 (8 bytes): com.oracle.svm.jni.JNIThreadOwnedMonitors.ownedMonitors = (Object) null
  152 (8 bytes): com.oracle.svm.core.genscavenge.ThreadLocalAllocation.freeList = (Word) 0  0000000000000000
  160 (8 bytes): com.oracle.svm.core.graal.snippets.StackOverflowCheckImpl.stackBoundaryTL = (Word) 1  0000000000000001
  168 (8 bytes): com.oracle.svm.core.stack.JavaFrameAnchors.lastAnchor = (Word) 0  0000000000000000
  176 (8 bytes): com.oracle.svm.core.thread.VMThreads.IsolateTL = (Word) 94893101010944  0000564e0593d000
  184 (8 bytes): com.oracle.svm.core.thread.VMThreads.OSThreadIdTL = (Word) 140471954354752  00007fc22cf0b240
  192 (8 bytes): com.oracle.svm.core.thread.VMThreads.nextTL = (Word) 0  0000000000000000
  200 (4 bytes): com.oracle.svm.core.graal.snippets.StackOverflowCheckImpl.yellowZoneStateTL = (int) -16843010  fefefefe
  204 (4 bytes): com.oracle.svm.core.snippets.ImplicitExceptions.implicitExceptionsAreFatal = (int) 0  00000000
  208 (4 bytes): com.oracle.svm.core.thread.Safepoint.safepointRequested = (int) -1367463  ffeb2259
  212 (4 bytes): com.oracle.svm.core.thread.Safepoint.safepointRequestedValueBeforeSafepoint = (int) 0  00000000
  216 (4 bytes): com.oracle.svm.core.thread.ThreadingSupportImpl.currentPauseDepth = (int) 0  00000000
  220 (4 bytes): com.oracle.svm.core.thread.VMOperationControl.isLockOwner = (int) 0  00000000
  224 (4 bytes): com.oracle.svm.core.thread.VMThreads$StatusSupport.safepointsDisabledTL = (int) 1  00000001
  228 (4 bytes): com.oracle.svm.core.thread.VMThreads$StatusSupport.statusTL = (int) 1  00000001
  
VMOperation dump:

  No VMOperation in progress
  
Dump Counters:

  
Raw Stacktrace:

  00007ffe00562fe0: 0000564e064e5a50 00007fc22b844cd8
  00007ffe00562ff0: 0000564e0593d000 0000564e04f13a3c
  00007ffe00563000: 00007fc22b844cd8 0000564e04ed3bb2
  00007ffe00563010: 0000564e0638d220 0000000000919e90
  00007ffe00563020: 0000564e064e5a50 00007fc22b844cd8
  00007ffe00563030: 0000564e05f03818 0000564e05385ab7
  00007ffe00563040: 00007fc22b8441f0 0000564e055d62da
  00007ffe00563050: 00007fc22b844260 0000564e06269248
  00007ffe00563060: 0000564e06269208 0000564e05f03750
  00007ffe00563070: 0000564e064e5a50 0000564e0538e850
  00007ffe00563080: 00007fc22b843b38 000000030593d000
  00007ffe00563090: 0000000000000010 0000564e06537d88
  00007ffe005630a0: 0000000000000010 0000000000000010
  00007ffe005630b0: 00007fc22b8441b0 0000564e0593d000
  00007ffe005630c0: 00007fc22b844180 0000564e0538dbf8
  00007ffe005630d0: 00007fc22b843f88 0000564e052468a0
  00007ffe005630e0: 0000564e05fc1d60 0000000100000100
  00007ffe005630f0: 00007fc22b8440a8 0000564e05f072a8
  00007ffe00563100: 00007fc22b844180 0000564e05498539
  00007ffe00563110: 0000564e059ccd68 00007fc22b842db0
  00007ffe00563120: 000000072b843f88 00007fc22b844180
  00007ffe00563130: 00007fc22b8440c0 000000000000000b
  00007ffe00563140: 00007fc22b8440a8 000000202b842db0
  00007ffe00563150: 0000564e05ef5a50 00007fc22b8432d0
  00007ffe00563160: 00007fc22b842f68 0000564e05497baa
  00007ffe00563170: 00007fc22b843f00 0000564e0536a3f5
  00007ffe00563180: 0000000000108bf0 0000297425f068a8
  00007ffe00563190: 0000564e05ef5a50 00007fc22b844068
  00007ffe005631a0: 0000564e05ef42c8 0000564e05ef6a40
  00007ffe005631b0: 0000564e05ef42c8 0000564e05ef42c8
  00007ffe005631c0: 0000564e05ef7088 00007fc22b842ef0
  00007ffe005631d0: 00007fc22b842d98 00007fc22b8432d0
  00007ffe005631e0: 00007fc22b8427e0 00007fc22b842f68
  00007ffe005631f0: 000000002b843f00 0000564e05496cc1
  00007ffe00563200: 00007fc22b843c88 000000010000000a
  00007ffe00563210: 00007fc22b842ef0 00007fc22b8427e0
  00007ffe00563220: 00007fc22b844040 0000564e0548a9d8
  00007ffe00563230: 00007fc22b843f60 0000564e0535dcd7
  00007ffe00563240: 0000297425f00a20 00007fc22b83da20
  00007ffe00563250: 000000000076fe28 00007fc22b8439b0
  00007ffe00563260: 00007fc22b842f10 0000564e04f5e029
  00007ffe00563270: 00007fc22b843e30 0000564e0535ed4d
  00007ffe00563280: 00007fc22b843c88 0000564e052468a0
  00007ffe00563290: 00007fc22b842f10 0000564e0642a1e8
  00007ffe005632a0: 00007fc22b844028 0000564e050b82af
  00007ffe005632b0: 00007fc22b843f88 0000564e05246f6a
  00007ffe005632c0: 000000010645b9e8 00007fc22b844028
  00007ffe005632d0: 00007fc22b844028 00007fc22b842f10
  00007ffe005632e0: 00007fc22b843be0 0000564e04e20cd9
  00007ffe005632f0: 00007fc22b843ec8 0000564e0535e284
  00007ffe00563300: 00007fc22b843d38 0000564e0603fbf0
  00007ffe00563310: 00007fc22b843be0 0000564e06269138
  00007ffe00563320: 0000564e0645b9e8 00007fc22b844028
  00007ffe00563330: 00007fc22b843e30 00007fc22b843be0
  00007ffe00563340: 0000564e0604b068 00007fc22b8439d8
  00007ffe00563350: 00007fc22b842f10 00007fc22b843f88
  00007ffe00563360: 0000564e05eeb1b8 0000564e04e20383
  00007ffe00563370: 00007fc22b803ba8 0000564e04de9c4f
  00007ffe00563380: 00007fc22b8439d8 0000564e05eeb1b8
  00007ffe00563390: 00007fc22b842f10 0000564e04d1e12c
  00007ffe005633a0: 00007fc22b803af0 00000000006ffcc0
  00007ffe005633b0: 00007fc22b803af0 0000564e05eeb1b8
  00007ffe005633c0: 00007fc22b842f10 0000564e062577d8
  00007ffe005633d0: 000000012ce15120 00007fc22b8354b0
  
Stacktrace Stage0:

  RSP 00007ffe00562fe0 RIP 0000564e04f13ab9 FrameSize 32
  RSP 00007ffe00563000 RIP 0000564e04f13a3c FrameSize 16
  RSP 00007ffe00563010 RIP 0000564e04ed3bb2 FrameSize 48
  RSP 00007ffe00563040 RIP 0000564e05385ab7 FrameSize 64
  RSP 00007ffe00563080 RIP 0000564e0538e850 FrameSize 80
  RSP 00007ffe005630d0 RIP 0000564e0538dbf8 FrameSize 64
  RSP 00007ffe00563110 RIP 0000564e05498539 FrameSize 96
  RSP 00007ffe00563170 RIP 0000564e05497baa FrameSize 144
  RSP 00007ffe00563200 RIP 0000564e05496cc1 FrameSize 48
  RSP 00007ffe00563230 RIP 0000564e0548a9d8 FrameSize 64
  RSP 00007ffe00563270 RIP 0000564e04f5e029 FrameSize 64
  RSP 00007ffe005632b0 RIP 0000564e050b82af FrameSize 64
  RSP 00007ffe005632f0 RIP 0000564e04e20cd9 FrameSize 128
  RSP 00007ffe00563370 RIP 0000564e04e20383 FrameSize 48
  RSP 00007ffe005633a0 RIP 0000564e04d1e12c FrameSize 80
  RSP 00007ffe005633f0 RIP 0000564e04d1d594 FrameSize 48
  RSP 00007ffe00563420 RIP 0000564e04e68b03 FrameSize 64
  RSP 00007ffe00563460 RIP 0000564e053c30bd FrameSize 48
  RSP 00007ffe00563490 RIP 0000564e053c21fe FrameSize 64
  RSP 00007ffe005634d0 RIP 0000564e053c215b FrameSize 64
  RSP 00007ffe00563510 RIP 0000564e04daa8d2 FrameSize 336
  RSP 00007ffe00563660 RIP 0000564e04da9cbc FrameSize 32
  RSP 00007ffe00563680 RIP 0000564e053c22da FrameSize 32
  RSP 00007ffe005636a0 RIP 0000564e04e9a365 FrameSize 64
  RSP 00007ffe005636e0 RIP 0000564e04eaf0d7 FrameSize 1
  
Stacktrace Stage1:

  RSP 00007ffe00562fe0 RIP 0000564e04f13ab9  com.oracle.svm.core.code.ImageCodeInfo@0x564e060623c8 name = image code
  RSP 00007ffe00563000 RIP 0000564e04f13a3c  com.oracle.svm.core.code.ImageCodeInfo@0x564e060623c8 name = image code
  RSP 00007ffe00563010 RIP 0000564e04ed3bb2  com.oracle.svm.core.code.ImageCodeInfo@0x564e060623c8 name = image code
  RSP 00007ffe00563040 RIP 0000564e05385ab7  com.oracle.svm.core.code.ImageCodeInfo@0x564e060623c8 name = image code
  RSP 00007ffe00563080 RIP 0000564e0538e850  com.oracle.svm.core.code.ImageCodeInfo@0x564e060623c8 name = image code
  RSP 00007ffe005630d0 RIP 0000564e0538dbf8  com.oracle.svm.core.code.ImageCodeInfo@0x564e060623c8 name = image code
  RSP 00007ffe00563110 RIP 0000564e05498539  com.oracle.svm.core.code.ImageCodeInfo@0x564e060623c8 name = image code
  RSP 00007ffe00563170 RIP 0000564e05497baa  com.oracle.svm.core.code.ImageCodeInfo@0x564e060623c8 name = image code
  RSP 00007ffe00563200 RIP 0000564e05496cc1  com.oracle.svm.core.code.ImageCodeInfo@0x564e060623c8 name = image code
  RSP 00007ffe00563230 RIP 0000564e0548a9d8  com.oracle.svm.core.code.ImageCodeInfo@0x564e060623c8 name = image code
  RSP 00007ffe00563270 RIP 0000564e04f5e029  com.oracle.svm.core.code.ImageCodeInfo@0x564e060623c8 name = image code
  RSP 00007ffe005632b0 RIP 0000564e050b82af  com.oracle.svm.core.code.ImageCodeInfo@0x564e060623c8 name = image code
  RSP 00007ffe005632f0 RIP 0000564e04e20cd9  com.oracle.svm.core.code.ImageCodeInfo@0x564e060623c8 name = image code
  RSP 00007ffe00563370 RIP 0000564e04e20383  com.oracle.svm.core.code.ImageCodeInfo@0x564e060623c8 name = image code
  RSP 00007ffe005633a0 RIP 0000564e04d1e12c  com.oracle.svm.core.code.ImageCodeInfo@0x564e060623c8 name = image code
  RSP 00007ffe005633f0 RIP 0000564e04d1d594  com.oracle.svm.core.code.ImageCodeInfo@0x564e060623c8 name = image code
  RSP 00007ffe00563420 RIP 0000564e04e68b03  com.oracle.svm.core.code.ImageCodeInfo@0x564e060623c8 name = image code
  RSP 00007ffe00563460 RIP 0000564e053c30bd  com.oracle.svm.core.code.ImageCodeInfo@0x564e060623c8 name = image code
  RSP 00007ffe00563490 RIP 0000564e053c21fe  com.oracle.svm.core.code.ImageCodeInfo@0x564e060623c8 name = image code
  RSP 00007ffe005634d0 RIP 0000564e053c215b  com.oracle.svm.core.code.ImageCodeInfo@0x564e060623c8 name = image code
  RSP 00007ffe00563510 RIP 0000564e04daa8d2  com.oracle.svm.core.code.ImageCodeInfo@0x564e060623c8 name = image code
  RSP 00007ffe00563660 RIP 0000564e04da9cbc  com.oracle.svm.core.code.ImageCodeInfo@0x564e060623c8 name = image code
  RSP 00007ffe00563680 RIP 0000564e053c22da  com.oracle.svm.core.code.ImageCodeInfo@0x564e060623c8 name = image code
  RSP 00007ffe005636a0 RIP 0000564e04e9a365  com.oracle.svm.core.code.ImageCodeInfo@0x564e060623c8 name = image code
  RSP 00007ffe005636e0 RIP 0000564e04eaf0d7  com.oracle.svm.core.code.ImageCodeInfo@0x564e060623c8 name = image code
  
Full Stacktrace:

  RSP 00007ffe00562fe0 RIP 0000564e04f13ab9  [image code] com.oracle.svm.core.jdk.VMErrorSubstitutions.shutdown(VMErrorSubstitutions.java:112)
  RSP 00007ffe00562fe0 RIP 0000564e04f13ab9  [image code] com.oracle.svm.core.util.VMError.shouldNotReachHere(VMError.java:74)
  RSP 00007ffe00563000 RIP 0000564e04f13a3c  [image code] com.oracle.svm.core.util.VMError.shouldNotReachHere(VMError.java:59)
  RSP 00007ffe00563010 RIP 0000564e04ed3bb2  [image code] com.oracle.svm.core.jdk.JceSecurityUtil.shouldNotReach(SecuritySubstitutions.java:274)
  RSP 00007ffe00563040 RIP 0000564e05385ab7  [image code] javax.crypto.JceSecurity.getCodeBase(JceSecurity.java:238)
  RSP 00007ffe00563040 RIP 0000564e05385ab7  [image code] javax.crypto.JceSecurity.getVerificationResult(JceSecurity.java:189)
  RSP 00007ffe00563080 RIP 0000564e0538e850  [image code] javax.crypto.JceSecurity.canUseProvider(JceSecurity.java:204)
  RSP 00007ffe00563080 RIP 0000564e0538e850  [image code] javax.crypto.SecretKeyFactory.nextSpi(SecretKeyFactory.java:295)
  RSP 00007ffe005630d0 RIP 0000564e0538dbf8  [image code] javax.crypto.SecretKeyFactory.<init>(SecretKeyFactory.java:121)
  RSP 00007ffe00563110 RIP 0000564e05498539  [image code] javax.crypto.SecretKeyFactory.getInstance(SecretKeyFactory.java:160)
  RSP 00007ffe00563110 RIP 0000564e05498539  [image code] org.bouncycastle.jcajce.util.DefaultJcaJceHelper.createSecretKeyFactory(Unknown Source)
  RSP 00007ffe00563110 RIP 0000564e05498539  [image code] org.bouncycastle.openssl.jcajce.PEMUtilities.getKey(Unknown Source)
  RSP 00007ffe00563170 RIP 0000564e05497baa  [image code] org.bouncycastle.openssl.jcajce.PEMUtilities.getKey(Unknown Source)
  RSP 00007ffe00563170 RIP 0000564e05497baa  [image code] org.bouncycastle.openssl.jcajce.PEMUtilities.crypt(Unknown Source)
  RSP 00007ffe00563200 RIP 0000564e05496cc1  [image code] org.bouncycastle.openssl.jcajce.JcePEMDecryptorProviderBuilder$1$1.decrypt(Unknown Source)
  RSP 00007ffe00563230 RIP 0000564e0548a9d8  [image code] org.bouncycastle.openssl.PEMEncryptedKeyPair.decryptKeyPair(Unknown Source)
  RSP 00007ffe00563270 RIP 0000564e04f5e029  [image code] com.oracle.svm.reflect.PEMEncryptedKeyPair_decryptKeyPair_b6d8cf7709a2560cbf292e006bef781cb5beb51f.invoke(Unknown Source)
  RSP 00007ffe005632b0 RIP 0000564e050b82af  [image code] java.lang.reflect.Method.invoke(Method.java:498)
  RSP 00007ffe005632f0 RIP 0000564e04e20cd9  [image code] clojure.lang.Reflector.invokeMatchingMethod(Reflector.java:167)
  RSP 00007ffe00563370 RIP 0000564e04e20383  [image code] clojure.lang.Reflector.invokeInstanceMethod(Reflector.java:102)
  RSP 00007ffe005633a0 RIP 0000564e04d1e12c  [image code] buddy.core.keys.pem$read_privkey.invokeStatic(pem.clj:52)
  RSP 00007ffe005633f0 RIP 0000564e04d1d594  [image code] buddy.core.keys.pem$read_privkey.invoke(pem.clj:43)
  RSP 00007ffe005633f0 RIP 0000564e04d1d594  [image code] buddy.core.keys$str__GT_private_key.invokeStatic(keys.clj:68)
  RSP 00007ffe00563420 RIP 0000564e04e68b03  [image code] buddy.core.keys$str__GT_private_key.invoke(keys.clj:62)
  RSP 00007ffe00563420 RIP 0000564e04e68b03  [image code] com.atomist.clj_token.tokens$sign.invokeStatic(tokens.clj:69)
  RSP 00007ffe00563460 RIP 0000564e053c30bd  [image code] com.atomist.clj_token.tokens$sign.invoke(tokens.clj:60)
  RSP 00007ffe00563460 RIP 0000564e053c30bd  [image code] jwt_creator.jwt$sign_token.invokeStatic(jwt.clj:39)
  RSP 00007ffe00563490 RIP 0000564e053c21fe  [image code] jwt_creator.jwt$sign_token.invoke(jwt.clj:35)
  RSP 00007ffe00563490 RIP 0000564e053c21fe  [image code] jwt_creator.core$_main.invokeStatic(core.clj:12)
  RSP 00007ffe005634d0 RIP 0000564e053c215b  [image code] jwt_creator.core$_main.invoke(core.clj:6)
  RSP 00007ffe00563510 RIP 0000564e04daa8d2  [image code] clojure.lang.AFn.applyToHelper(AFn.java:171)
  RSP 00007ffe00563660 RIP 0000564e04da9cbc  [image code] clojure.lang.AFn.applyTo(AFn.java:144)
  RSP 00007ffe00563680 RIP 0000564e053c22da  [image code] jwt_creator.core.main(Unknown Source)
  RSP 00007ffe005636a0 RIP 0000564e04e9a365  [image code] com.oracle.svm.core.JavaMainWrapper.run(JavaMainWrapper.java:153)
  RSP 00007ffe005636e0 RIP 0000564e04eaf0d7  [image code] com.oracle.svm.core.code.IsolateEnterStub.JavaMainWrapper_run_5087f5482cc9a6abc971913ece43acb471d2631b(IsolateEnterStub.java:0)
  
[Native image heap boundaries: 
  ReadOnly Primitives: 0x564e0593d008 .. 0x564e05ee9df0
  ReadOnly References: 0x564e05eeaaa0 .. 0x564e0614c9c8
  Writable Primitives: 0x564e0614d000 .. 0x564e06255eb0
  Writable References: 0x564e06255ec8 .. 0x564e065bc788]


[Heap:
  [Young generation: 
    [youngSpace:
      aligned: 1044432/1 unaligned: 0/0
      aligned chunks:
        0x7fc22bc00000 (0x7fc22bc01030-0x7fc22bc01520)]]
  [Old generation: 
    [fromSpace:
      aligned: 0/0 unaligned: 0/0]
    [toSpace:
      aligned: 0/0 unaligned: 0/0]
    [pinnedFromSpace:
      aligned: 0/0 unaligned: 0/0]
    [pinnedToSpace:
      aligned: 0/0 unaligned: 0/0]]
  [Unused:
    aligned: 0/0]]

Fatal error: javax.crypto.JceSecurity.getCodeBase(Class) is reached at runtime. This should not happen. The contents of JceSecurity.verificationResults are computed and cached at image build time. Try enabling all security services with --enable-all-security-services.

[JulienNevo]

@kipz Did you manage to resolve your problem? I have the same error and more or less the same stacktrace, but have no idea how to resolve the problem. Thanks.

[kipz]

@JulienNevo sadly I did not, but I'm still very keen to make some progress somehow.

[mbruess1]

@JulienNevo @kipz I ran into the same error (using bouncy castle) as you. Were you able to resolve it by now?

[kipz]

@mbruess1 still not! :(

[Jotschi]

I encountered the same error while running the following code:

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.util.Objects;

import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
…
	KeyGenerator keygen = KeyGenerator.getInstance("HmacSHA256");
	SecretKey key = keygen.generateKey();

	KeyStore keystore = KeyStore.getInstance("jceks");
	keystore.load(null, null);

	// This call throws an exception
	keystore.setKeyEntry("HS256", key, keystorePassword.toCharArray(), null);
	FileOutputStream fos = new FileOutputStream(keystoreFile);
	try {
		keystore.store(fos, keystorePassword.toCharArray());
		fos.flush();
	} finally {
		fos.close();
	}

I ran my build with graalvm java8-19.3.0 and the following args:

<buildArgs>-H:+ReportUnsupportedElementsAtRuntime
	-Dfile.encoding=UTF-8
	--allow-incomplete-classpath
	-H:+AddAllCharsets
	-Dlog4j2.jmx.disable=true
	--enable-https
	--enable-http
	--enable-all-security-services
</buildArgs>

[crumohr]

Same here when using quarkus in combination with bouncy castle. I also had to provide a quite extensive src/main/resources/META-INF/native-image/reflect-config.json to get up to this point at all due to the heavy reliance of bouncy castle on reflections.

/Library/Java/JavaVirtualMachines/graalvm-ce-java11-19.3.1/Contents/Home/bin/native-image
-J-Dsun.nio.ch.maxUpdateArraySize=100
-J-Djava.util.logging.manager=org.jboss.logmanager.LogManager
-J-Dvertx.logger-delegate-factory-class-name=io.quarkus.vertx.core.runtime.VertxLogDelegateFactory
-J-Dvertx.disableDnsResolver=true
-J-Dio.netty.leakDetection.level=DISABLED
-J-Dio.netty.allocator.maxOrder=1
-J-Dcom.sun.xml.bind.v2.bytecode.ClassTailor.noOptimize=true
--initialize-at-build-time= -H:InitialCollectionPolicy=com.oracle.svm.core.genscavenge.CollectionPolicy$BySpaceAndTime
-jar demo-app-1.0.0-SNAPSHOT-runner.jar
-H:FallbackThreshold=0
-H:+ReportExceptionStackTraces
-H:-AddAllCharsets -H:EnableURLProtocols=http,https
--enable-all-security-services -H:+JNI --no-server
-H:-UseServiceLoaderFeature
-H:+StackTrace demo-app-1.0.0-SNAPSHOT-runner

[sendev1]

I am facing this same issue with 20.0.3-dev release as well with bouncy castle. I am using --enable-all-security-services with my native-image command. Could some please help me if you were able to resolve this issue.

[sendev1]

@hhandoko @kipz were you able to solve this issue. Looks like no response from Oracle since April 2019. I got stuck with this and need some help to move forward.

[reddigfabian]

I'm also running into this error using the Gluon maven plugin to try and build ios/android/desktop applications. Below is my plugin configuration and relevant source code:

<plugin>
                <groupId>com.gluonhq</groupId>
                <artifactId>client-maven-plugin</artifactId>
                <version>${client.plugin.version}</version>
                <configuration>
                    <target>${client.target}</target>
                    <nativeImageArgs>-J-Djava.security.properties=java.security.overrides</nativeImageArgs>
                    <nativeImageArgs>--enable-all-security-services</nativeImageArgs>
                    <attachList>
                        <list>display</list>
                        <list>lifecycle</list>
                        <list>statusbar</list>
                        <list>storage</list>
                    </attachList>
                    <bundlesList>
                        <list>com.gluonapplication.views.primary</list>
                        <list>com.gluonapplication.views.secondary</list>
                    </bundlesList>
                    <reflectionList>
                        <list>com.gluonapplication.views.PrimaryPresenter</list>
                        <list>com.gluonapplication.views.SecondaryPresenter</list>
                        <list>org.bouncycastle.jcajce.provider.symmetric.AES$Mappings</list>
                    </reflectionList>
                    <mainClass>${mainClassName}</mainClass>
                </configuration>
            </plugin>

java.security.overrides contains the following:

security.provider.3=org.bouncycastle.jce.provider.BouncyCastleProvider

public class GluonApplication extends MobileApplication {

    private Provider provider;
    private static final String CIPHER_ALGORITHM = "AES";
    private static final String KEYPAIR_GENERATOR_ALGORITHM = "RSA";
    private static final String KEY_GENERATOR_ALGORITHM = "AES";
    private static final String KEY_FACTORY_ALGORITHM = "RSA";
    private static final String KEY_STORE_TYPE = "PKCS12";
    private static final String SIGNATURE_ALGORITHM = "SHA256withRSA";
    private static final String HASH_ALGORITHM = "PBKDF2WithHmacSHA256";
    private static final String TEMPORAL_KEY_ALGORITHM = "RSA";
    private static final int AES_KEY_SIZE = 256;
    private static final int RSA_KEY_SIZE = 2048;
    private File KEY_STORE_FILE;
    private static final String KEY_STORE_NAME = "keyStore";
    private static final String KEY_STORE_DIRECTORY_NAME = "security";
    private final KeyGenerator[] keyGenerators = new KeyGenerator[TOTAL_CIPHER_UNITS];
    private final Cipher[] temporalKeyEncrypters = new Cipher[TOTAL_CIPHER_UNITS];
    private final Cipher[] temporalKeyDecrypters = new Cipher[TOTAL_CIPHER_UNITS];
    private final Cipher[] payloadEncrypters = new Cipher[TOTAL_CIPHER_UNITS];
    private final Cipher[] payloadDecrypters = new Cipher[TOTAL_CIPHER_UNITS];
    private final KeyFactory[] keyFactories = new KeyFactory[TOTAL_CIPHER_UNITS];
    private final Signature[] signers = new Signature[TOTAL_CIPHER_UNITS];
    private static final int TOTAL_CIPHER_UNITS = 14;

    @Override
    public void init() {
        securityTest();
        AppViewManager.registerViewsAndDrawer(this);
    }

    @Override
    public void postInit(Scene scene) {
        Swatch.BLUE.assignTo(scene);

        scene.getStylesheets().add(GluonApplication.class.getResource("style.css").toExternalForm());
        ((Stage) scene.getWindow()).getIcons().add(new Image(GluonApplication.class.getResourceAsStream("/icon.png")));
    }

    public static void main(String args[]) {
        launch(args);
    }

    private void securityTest() {
        Security.removeProvider("BC");
        // also remove not sufficient AndroidOpenSSL provider for X.509 - most likely only needed if BouncyCastleJsseProvider is used
        Security.removeProvider("AndroidOpenSSL");
        // touch the internal Providers class to trigger the static provider loading
        // see http://androidxref.com/9.0.0_r3/xref/libcore/ojluni/src/main/java/sun/security/jca/Providers.java#SYSTEM_BOUNCY_CASTLE_PROVIDER
        try {
            Class.forName("sun.security.jca.Providers");
        } catch (ClassNotFoundException e) {
            throw new RuntimeException(String.format("%s to patch not found.", "sun.security.jca.Providers"), e);
        }
        provider = new BouncyCastleProvider();

        Security.insertProviderAt(provider, 0);

        final File keyStoreDirectory = new File(System.getProperty("user.home"), KEY_STORE_DIRECTORY_NAME);
        // make sure that the path to the directory
        keyStoreDirectory.mkdirs();
        // create the key store file object
        KEY_STORE_FILE = new File(keyStoreDirectory, KEY_STORE_NAME);

        for (int i = 0; i < TOTAL_CIPHER_UNITS; i++) {
            try {
                // we init the key generator with the AES key size
                keyGenerators[i] = KeyGenerator.getInstance(KEY_GENERATOR_ALGORITHM, provider);
                keyGenerators[i].init(AES_KEY_SIZE);
                temporalKeyEncrypters[i] = Cipher.getInstance(TEMPORAL_KEY_ALGORITHM, provider);
                temporalKeyDecrypters[i] = Cipher.getInstance(TEMPORAL_KEY_ALGORITHM, provider);
                payloadEncrypters[i] = Cipher.getInstance(CIPHER_ALGORITHM, provider);
                payloadDecrypters[i] = Cipher.getInstance(CIPHER_ALGORITHM, provider);
                keyFactories[i] = KeyFactory.getInstance(KEY_FACTORY_ALGORITHM, provider);
                signers[i] = Signature.getInstance(SIGNATURE_ALGORITHM, provider);
            } catch (NoSuchPaddingException | NoSuchAlgorithmException ex) {
                ex.printStackTrace();
            }
        }
    }
}

[cstancu]

As I mentioned in a related issue the Bouncy Castle, and all other providers, need to be registered and verified at Native Image build time. See: #2800 (comment).

[reddigfabian]

With all the same code as my comment above, I added the following:

In the gluon plugin config (passes cmd line arg to native-image):

<nativeImageArgs>--rerun-class-initialization-at-runtime=org.bouncycastle.jcajce.provider.symmetric.AES$Mappings</nativeImageArgs>

In my dependencies:

        <dependency>
            <groupId>org.graalvm.nativeimage</groupId>
            <artifactId>svm</artifactId>
            <version>20.1.0</version>
            <scope>compile</scope>
        </dependency>

In src/main/java/com.gluonapplication:

import com.oracle.svm.core.annotate.AutomaticFeature;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.graalvm.nativeimage.hosted.Feature;
import org.graalvm.nativeimage.hosted.RuntimeClassInitialization;

import java.security.Security;

@AutomaticFeature
public class BouncyCastleFeature implements Feature {

    @Override
    public void afterRegistration(AfterRegistrationAccess access) {
        RuntimeClassInitialization.initializeAtBuildTime("org.bouncycastle");
        Security.addProvider(new BouncyCastleProvider());
    }

}

This results in the following stacktrace on build:

[Fri Oct 02 22:44:56 EDT 2020][INFO] We will now compile your code for arm64-apple-ios. This may take some time.
[Fri Oct 02 22:44:57 EDT 2020][INFO] [SUB] Warning: Using a deprecated option --rerun-class-initialization-at-runtime. Currently there is no replacement for this option. Try using --initialize-at-run-time or use the non-API option -H:ClassInitialization directly.
[Fri Oct 02 22:45:00 EDT 2020][INFO] [SUB] [com.gluonapplication.gluonapplication:97855] classlist: 3,441.86 ms, 0.96 GB
[Fri Oct 02 22:45:01 EDT 2020][INFO] [SUB] [com.gluonapplication.gluonapplication:97855] setup: 506.92 ms, 0.96 GB
[Fri Oct 02 22:45:01 EDT 2020][INFO] [SUB] Error: Already registered: java.util.zip.ZipFile$CleanableResource.get(ZipFile, File, int)
[Fri Oct 02 22:45:01 EDT 2020][INFO] [SUB] com.oracle.svm.core.util.UserError$UserException: Already registered: java.util.zip.ZipFile$CleanableResource.get(ZipFile, File, int)
[Fri Oct 02 22:45:01 EDT 2020][INFO] [SUB] at com.oracle.svm.core.util.UserError.abort(UserError.java:68)
[Fri Oct 02 22:45:01 EDT 2020][INFO] [SUB] at com.oracle.svm.core.util.UserError.guarantee(UserError.java:92)
[Fri Oct 02 22:45:01 EDT 2020][INFO] [SUB] at com.oracle.svm.hosted.substitute.AnnotationSubstitutionProcessor.register(AnnotationSubstitutionProcessor.java:724)
[Fri Oct 02 22:45:01 EDT 2020][INFO] [SUB] at com.oracle.svm.hosted.substitute.AnnotationSubstitutionProcessor.handleMethodInAliasClass(AnnotationSubstitutionProcessor.java:338)
[Fri Oct 02 22:45:01 EDT 2020][INFO] [SUB] at com.oracle.svm.hosted.substitute.AnnotationSubstitutionProcessor.handleAliasClass(AnnotationSubstitutionProcessor.java:302)
[Fri Oct 02 22:45:01 EDT 2020][INFO] [SUB] at com.oracle.svm.hosted.substitute.AnnotationSubstitutionProcessor.handleClass(AnnotationSubstitutionProcessor.java:274)
[Fri Oct 02 22:45:01 EDT 2020][INFO] [SUB] at com.oracle.svm.hosted.substitute.AnnotationSubstitutionProcessor.init(AnnotationSubstitutionProcessor.java:230)
[Fri Oct 02 22:45:01 EDT 2020][INFO] [SUB] at com.oracle.svm.hosted.NativeImageGenerator.createDeclarativeSubstitutionProcessor(NativeImageGenerator.java:915)
[Fri Oct 02 22:45:01 EDT 2020][INFO] [SUB] at com.oracle.svm.hosted.NativeImageGenerator.setupNativeImage(NativeImageGenerator.java:852)
[Fri Oct 02 22:45:01 EDT 2020][INFO] [SUB] at com.oracle.svm.hosted.NativeImageGenerator.doRun(NativeImageGenerator.java:553)
[Fri Oct 02 22:45:01 EDT 2020][INFO] [SUB] at com.oracle.svm.hosted.NativeImageGenerator.lambda$run$0(NativeImageGenerator.java:468)
[Fri Oct 02 22:45:01 EDT 2020][INFO] [SUB] at java.base/java.util.concurrent.ForkJoinTask$AdaptedRunnableAction.exec(ForkJoinTask.java:1407)
[Fri Oct 02 22:45:01 EDT 2020][INFO] [SUB] at java.base/java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:290)
[Fri Oct 02 22:45:01 EDT 2020][INFO] [SUB] at java.base/java.util.concurrent.ForkJoinPool$WorkQueue.topLevelExec(ForkJoinPool.java:1020)
[Fri Oct 02 22:45:01 EDT 2020][INFO] [SUB] at java.base/java.util.concurrent.ForkJoinPool.scan(ForkJoinPool.java:1656)
[Fri Oct 02 22:45:01 EDT 2020][INFO] [SUB] at java.base/java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1594)
[Fri Oct 02 22:45:01 EDT 2020][INFO] [SUB] at java.base/java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:183)
[Fri Oct 02 22:45:01 EDT 2020][INFO] [SUB] Error: Image build request failed with exit status 1
[Fri Oct 02 22:45:01 EDT 2020][SEVERE] Process compile failed with result: 1
Check the log files under /Users/fabianreddig/IdeaProjects/GluonMobile-MultipleViewProjectwithGlistenAfterburner/target/client/arm64-ios/gvm/log
And please check https://docs.gluonhq.com/client/ for more information.
[Fri Oct 02 22:45:01 EDT 2020][INFO] Logging process [compile] to file: /Users/fabianreddig/IdeaProjects/GluonMobile-MultipleViewProjectwithGlistenAfterburner/target/client/log/process-compile-1601693101401.log
[Fri Oct 02 22:45:01 EDT 2020][SEVERE] Compiling failed.
Check the log files under /Users/fabianreddig/IdeaProjects/GluonMobile-MultipleViewProjectwithGlistenAfterburner/target/client/arm64-ios/gvm/log
And please check https://docs.gluonhq.com/client/ for more information.

Edit:
Seems like this only happens once I add the dependency. Do I have a mismatch between my actual GraalVM version and the dependency I'm using?

fabianreddig@Fabians-MacBook-Pro GluonMobile-MultipleViewProjectwithGlistenAfterburner % java -version
openjdk version "11.0.8" 2020-07-14
OpenJDK Runtime Environment GraalVM CE 20.2.0 (build 11.0.8+10-jvmci-20.2-b03)
OpenJDK 64-Bit Server VM GraalVM CE 20.2.0 (build 11.0.8+10-jvmci-20.2-b03, mixed mode, sharing)

Edit:
I believe this error occured due to the dependency scope being "compile" instead of "provided"

[reddigfabian]

@cstancu So after a bunch more testing, reading, googling, testing, and trying random stuff, I am still receiving the Fatal error: javax.crypto.JceSecurity.getCodeBase(Class) is reached at runtime. failure despite the suggested fixes. I've gone ahead and put a repo on github to reproduce the issue: https://github.com/reddigfabian/GluonGraalTest.

I built this using the "Gluon Mobile - Multiple View Project with Glisten Afterburner" template provided by the Gluon plugin and am using GraalVM CE 20.2.0 (build 11.0.8+10-jvmci-20.2-b03).

[alaakaazaam]

Hi guys, i discuss the same situation here : https://www.reddit.com/r/graalvm/comments/jnzo2d/graalvm_bouncycastle/